The Backbone

Security fundamentals form a line of protection

By Jeffrey Carpenter

Aug 01, 2017

For many years, the sage advice for cybersecurity leaders has
been to take a layered approach to security, and those words have
served the industry well. Unfortunately, cracks in those layers continue
to leave organizations vulnerable to security attacks.

In SecureWorks’ 2017 Cybersecurity Threat Insights Report, we
found those cracks are often the result of failing to implement basic—
the effective combination of people, processes and technologies
to protect systems and data. Strong security hygiene requires
knowing your assets, your data, and the controls protecting them.
Yet in the report, our examination of 163 incident response engagements
during the first half of 2016 uncovered failures ranging
from poor patch management to a failure to protect the extended
enterprise to ineffective preparation for incident response.

To understand what organizations need to do to prioritize the
right areas for security spending and what can be done to more
effectively prevent, remediate and respond to threats, cybersecurity
leaders need to start with the fundamentals.

While much of the media focus is often on sophisticated, targeted
attacks, the vast majority of the incidents for which Secure-
Works was engaged in the first half of 2016 (88 percent) were
opportunistic attacks that did not target a specific organization.
Among the incidents in the report in which the initial access vector
was known, phishing was used 38 percent of the time, making
it the most common attack methodology used by attackers. Scan
and exploit was the second most common at 22 percent, while
strategic web compromises and credential abuse comprised 21
percent and 15 percent, respectively.

Removable media was involved in four percent of the incidents.

In terms of defense, the implication here is clear: organizations
need to put an emphasis on addressing the challenge
posed by phishing. Part of that requires educating and training employees to spot phishing emails when
they hit their inboxes. Often, there are
telltale signs—misspellings, requests for
the recipient to do something out of the
norm, etc.—but sometimes there are not.
In targeted attacks, spear-phishing emails
can be even more sneaky than most. It is
common for advanced threat groups to
perform extensive reconnaissance on their
targets before launching an attack, allowing
them to create convincing emails that
take into account details such as the recipient’s
job duties and what IT assets and
data they have access to. With that kind
of information at an attacker’s disposal,
it is likely that someone in the organization
will fall victim, making anti-phishing
technologies like email filtering critical.

Phishing can often lead to credential
theft. Once a phisher has a victim’s username,
password or authentication information,
they can abuse it to gain access to
an account, service or network and take
other actions—including data theft. In
one incident noted in the report, a threat
actor compromised a third-party organization
providing help desk services to
its true target. After compromising the
third-party environment, the threat actor
accessed their actual target. Once inside,
the adversary gained access to administrator
accounts, used them to access Citrix
servers, and stole credentials from those
servers for other systems. Protecting user
credentials and enforcing best practices in
regards to passwords/passphrases is a critical
part of security. Another critical part
is controlling user access and privileges.
To prevent potential abuse by attackers
or insider threats, user privileges should
be limited to the lowest level necessary—
a strategy that could cause culture clashes
between the organization and users accustomed
to not being limited, but also one
that could impair an attack from spreading
if a machine is compromised.

Strategic web compromises involve attackers
infecting legitimate websites their
targets are likely to visit in hopes of infecting
their computers when they do. These
types of drive-by download attacks are
particularly sneaky because they take advantage
of the trust the visitor has in the
site. Although they sometimes use zerodays,
the vulnerabilities are likely known
issues the attacker is hoping the target has
not yet patched. As a result, protecting
against these types of attacks starts with
an effective patch management strategy
that identifies the vulnerabilities affecting
your IT environment and rolls out the appropriate
updates as promptly as possible.

Organizations should scan their networks
and develop an inventory of their
software and devices, then prioritize their
patching according to the risk of an attack
and the damage it could do if successful.
In addition, vulnerability management extends
to weaving security into the app development
process and ensuring the safety
of non-commodity code developed internally
or by a third-party partner.

Of course, corporate security teams are
hardly the only ones doing vulnerability
scans. In the case of the recent Wanna-
Cry ransomware attacks for example, the
threat actors scanned Internet IP addresses
for machines vulnerable to a Microsoft
Windows vulnerability. This type of highvolume
scanning of Internet-facing systems
is a common way for threat actors to
find systems they can exploit, and as noted
above, was observed in nearly a quarter of
the incidents examined in the report. One
of the reasons the ransomware spread so
quickly was that many organizations did
not promptly apply Microsoft’s update despite
it having been available since March.
Buying the latest technology will not solve
the problem posed by an unsecure Web
server left accessible via the Internet.

Building a Solid Base

The bottom line is that organizations need
to take a risk-based approach to security
that goes beyond regulatory compliance.
Our Threat Insights Report outlines a
number of recommendations.

Understand the extended enterprise.
Take a data-centric approach. Define your
key assets, know where they reside and who
has access to them, including third parties.

Increase visibility. By collecting and
monitoring security events, you will be
able to reduce the time it takes to detect
and respond to incidents as well as identify
trends within the infrastructure. At a
minimum, maintain logs on the following
systems for 13 months: firewall, IDS/IPS,
DNS, VPN, Active Directory, Web Services
and critical servers and systems.

Build a culture of security. Everyone
within the organization must take responsibility
for protecting information. This
involves getting buy-in from C-level leaders
as well as other parts of the business
outside IT in order to sell the importance
of smart security behaviors.

Too often, the answer for these challenges
is to buy the latest technology.
However, to truly improve their security,
chief information security officers need
to focus more on people and processes.
One of the mistakes many CISOs make
is to take a compliance-first approach to
security. Taking that type of checkbox approach
does not best serve the organization.
When it comes to cybersecurity, compliance
should be thought of as a floor as
opposed to a ceiling. For example, Secure-
Works has talked to security teams at financial
institutions who spent as much as
40 percent of their time on compliance initiatives
rather than security initiatives that
matter to their organizations. Ironically,
putting a strong emphasis on security will
address most compliance requirements.

Cybersecurity is not a problem that
can be solved with technology alone.
Developing an effective security strategy
means understanding your needs, where
your critical data and assets are, and
what the risk levels are to that information
and those devices. It means training
employees, building an effective patch
management program, and operationalizing
threat intelligence to harden your
defenses. It means implementing strategies
like strong passwords and multi-factor authentication
to control access to critical
systems. Whether sophisticated attackers
are at your doorstep or not, it won’t take
any sophistication to break in if the door
is unlocked.

This article originally appeared in the August 2017 issue of Security Today.